Land #10507, GPP creds for db_import

2018-08-28 11:45:51 -05:00 · 2018-08-28 11:45:51 -05:00 · 4803c889f9
parent 1d47b7f880 9b3e0d8306
commit 4803c889f9
7 changed files with 55 additions and 1 deletions
--- a/lib/msf/core/db_manager/import.rb
+++ b/lib/msf/core/db_manager/import.rb
@ -21,6 +21,7 @@ module Msf::DBManager::Import
  autoload :CI, 'msf/core/db_manager/import/ci'
  autoload :Foundstone, 'msf/core/db_manager/import/foundstone'
  autoload :FusionVM, 'msf/core/db_manager/import/fusion_vm'
+  autoload :GPP, 'msf/core/db_manager/import/gpp'
  autoload :IP360, 'msf/core/db_manager/import/ip360'
  autoload :IPList, 'msf/core/db_manager/import/ip_list'
  autoload :Libpcap, 'msf/core/db_manager/import/libpcap'
@ -47,6 +48,7 @@ module Msf::DBManager::Import
  include Msf::DBManager::Import::CI
  include Msf::DBManager::Import::Foundstone
  include Msf::DBManager::Import::FusionVM
+  include Msf::DBManager::Import::GPP
  include Msf::DBManager::Import::IP360
  include Msf::DBManager::Import::IPList
  include Msf::DBManager::Import::Libpcap
@ -164,6 +166,7 @@ module Msf::DBManager::Import
  # :ci_xml
  # :foundstone_xml
  # :fusionvm_xml
+  # :gpp_xml
  # :ip360_aspl_xml
  # :ip360_xml_v3
  # :ip_list
@ -358,6 +361,9 @@ module Msf::DBManager::Import
        when "main"
          @import_filedata[:type] = "Outpost24 XML"
          return :outpost24_xml
+        when /Groups|DataSources|Drives|ScheduledTasks|NTServices/
+          @import_filedata[:type] = "Group Policy Preferences Credentials"
+          return :gpp_xml
        else
          # Give up if we haven't hit the root tag in the first few lines
          break if line_count > 10
--- a/lib/msf/core/db_manager/import/gpp.rb
+++ b/lib/msf/core/db_manager/import/gpp.rb
@ -0,0 +1,41 @@
+require 'rex/parser/group_policy_preferences'
+
+module Msf::DBManager::Import::GPP
+  def import_gpp_xml(args = {}, &block)
+    return unless args && args[:data] && !args[:data].empty?
+
+    gpp = Rex::Parser::GPP.parse(args[:data])
+
+    return unless gpp && gpp.any?
+
+    wspace = find_workspace(args[:workspace])
+
+    return unless wspace && wspace.respond_to?(:id)
+
+    gpp.each do |p|
+      # Skip incomplete creds
+      next unless p[:USER] && p[:PASS]
+
+      # Store decrypted creds
+      create_credential(
+        workspace_id: wspace.id,
+        origin_type:  :import,
+        filename:     args[:filename],
+        username:     p[:USER],
+        private_data: p[:PASS],
+        private_type: :password
+      )
+    end
+
+    # Store entire file as loot, including metadata
+    report_loot(
+      workspace: wspace,
+      path:      args[:filename],
+      name:      File.basename(args[:filename]),
+      data:      args[:data],
+      type:      'microsoft.windows.gpp',
+      ctype:     'text/xml',
+      info:      gpp
+    )
+  end
+end
--- a/lib/msf/core/rpc/v10/rpc_db.rb
+++ b/lib/msf/core/rpc/v10/rpc_db.rb
@ -1493,6 +1493,7 @@ public
  #  * :ci_xml
  #  * :foundstone_xml
  #  * :fusionvm_xml
+  #  * :gpp_xml
  #  * :ip360_aspl_xml
  #  * :ip360_xml_v3
  #  * :ip_list
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@ -1428,6 +1428,7 @@ class Db
    print_line "    CI"
    print_line "    Foundstone"
    print_line "    FusionVM XML"
+    print_line "    Group Policy Preferences Credentials"
    print_line "    IP Address List"
    print_line "    IP360 ASPL"
    print_line "    IP360 XML v3"
--- a/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
+++ b/spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
@ -84,6 +84,7 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do
          "    CI",
          "    Foundstone",
          "    FusionVM XML",
+          "    Group Policy Preferences Credentials",
          "    IP Address List",
          "    IP360 ASPL",
          "    IP360 XML v3",
--- a/spec/support/shared/examples/msf/db_manager/import.rb
+++ b/spec/support/shared/examples/msf/db_manager/import.rb
@ -21,6 +21,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Import' do
  it_should_behave_like 'Msf::DBManager::Import::CI'
  it_should_behave_like 'Msf::DBManager::Import::Foundstone'
  it_should_behave_like 'Msf::DBManager::Import::FusionVM'
+  it_should_behave_like 'Msf::DBManager::Import::GPP'
  it_should_behave_like 'Msf::DBManager::Import::IP360'
  it_should_behave_like 'Msf::DBManager::Import::IPList'
  it_should_behave_like 'Msf::DBManager::Import::Libpcap'
@ -38,4 +39,4 @@ RSpec.shared_examples_for 'Msf::DBManager::Import' do
  it_should_behave_like 'Msf::DBManager::Import::Retina'
  it_should_behave_like 'Msf::DBManager::Import::Spiceworks'
  it_should_behave_like 'Msf::DBManager::Import::Wapiti'
-end
+end
--- a/spec/support/shared/examples/msf/db_manager/import/gpp.rb
+++ b/spec/support/shared/examples/msf/db_manager/import/gpp.rb
@ -0,0 +1,3 @@
+RSpec.shared_examples_for 'Msf::DBManager::Import::GPP' do
+  it { is_expected.to respond_to :import_gpp_xml }
+end